compress old puppet reports

seth vidal skvidal at fedoraproject.org
Wed May 18 05:39:22 UTC 2011


On Wed, 2011-05-18 at 00:18 +0200, Jan-Frode Myklebust wrote:
> On Tue, May 17, 2011 at 04:35:00PM -0400, seth vidal wrote:
> > 
> > "When changing directories, tmpwatch is very sensitive to possible race
> > conditions and will exit with an error if one is detected. It does not
> > follow symbolic links in the directories it's cleaning (even if a
> > symbolic link is given as its argument), will not switch filesystems,
> > skips lost+found directories owned by the root user, and only removes
> > empty directories, regular files, and symbolic links."
> 
> 
> Not sure if this is a documentation or code bug, but this doesn't
> seem true on the two RHEL5/6 systems I just tested.. 
> 
> 
> > > > It guards against symlink attack by anyone who can run something as
> > > > user "puppet" and replace /var/lib/puppet/reports/ with a symlink to
> > > > somewhere else (/).
> > 
> > so in answer to this - no in fact, tmpwatch can't be exploited that way.
> > 
> 
> 	$ rpm -q tmpwatch
> 	tmpwatch-2.9.16-3.el6.x86_64
> 	$ ln -s /etc/ /var/tmp/test
> 	$ /usr/sbin/tmpwatch --mtime 720 --test /var/tmp/test/
> 	removing file /etc/csh.login
> 	removing file /etc/gimp/2.0/unitrc
> 	removing file /etc/gimp/2.0/sessionrc
> 	removing file /etc/gimp/2.0/controllerrc
> 	removing file /etc/gimp/2.0/menurc
> 	removing file /etc/gimp/2.0/gimprc
> 	removing file /etc/gimp/2.0/gtkrc
> 	<snip>
> 
>

then that is a code bug b/c it is specifically documented as NOT doing
that.

-sv
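A defensive counterpart to the test above, added here as an example and not part of the thread or of tmpwatch: a POSIX sh cleanup wrapper (hypothetical name safe_clean_dir) that enforces what the quoted man page promises, refusing a directory that is, or sits beneath, a symbolic link, including the trailing-slash form used in the test, and deleting only regular files on a single filesystem.

```shell
# safe_clean_dir DIR DAYS
# Removes regular files under DIR older than DAYS days, with the guards the
# tmpwatch man page promises: DIR itself must not be a symlink (checked on the
# link, after stripping any trailing slash, because "dir/" makes the kernel
# resolve the link), no component of DIR may be a symlink, the walk never
# crosses filesystems (-xdev) and only regular files are deleted (-type f).
# Returns 0 after cleaning, 1 when the directory was refused.
safe_clean_dir() {
    dir=$1
    days=$2
    # Strip trailing slashes so that [ -L ] tests the link, not its target
    while [ "$dir" != "/" ] && [ "${dir%/}" != "$dir" ]; do
        dir=${dir%/}
    done
    if [ -L "$dir" ]; then
        printf 'refusing %s: it is a symbolic link\n' "$dir" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        printf 'refusing %s: not a directory\n' "$dir" >&2
        return 1
    fi
    # Make the path absolute, then lstat every component: a symlink anywhere
    # above the target lets whoever controls it redirect the whole walk.
    case $dir in
        /*) abs=$dir ;;
        *)  abs=$(pwd -P)/$dir ;;
    esac
    rest=${abs#/}
    walk=
    while [ -n "$rest" ]; do
        comp=${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest= ;;
        esac
        [ -n "$comp" ] || continue
        walk=$walk/$comp
        if [ -L "$walk" ]; then
            printf 'refusing %s: component %s is a symbolic link\n' "$dir" "$walk" >&2
            return 1
        fi
    done
    # find does not follow symlinks by default; -xdev keeps it on one filesystem
    find "$abs" -xdev -type f -mtime +"$days" -exec rm -f -- {} +
}
```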




More information about the infrastructure mailing list